Rumor has it that Patrick may have mentioned these words:
sendmail is a piece of Swiss cheese when it comes to security and it's only of *when*, not *if* there is another security hole found.
What server software does this not apply to? --Patrick ;-)
qmail.
There has *never* been a "user-permissions" exploit (as in any user being
able to gain any permissions to any other user, including root) and the few
bugs that have been found generally just make it die.
There was a new bug that was just found in it - if a user sends a mail with
a header line longer than 2Gbytes, it'll crash that particular process, and
I think the mail is lost to the ether.[1]
All other mails will still be delivered fine, tho.
Why is the most secure MTA not included with every Linux distro? DJB's
license is (at best) wonky, to preserve his codebase & help alleviate
tech-support nightmares, and as it's not "Open Source" with fully
redistributable binaries, none of the Linux vendors (except Gentoo, which
compiles stuff on the fly) will touch it.
http://www.qmail.org/ &&
http://cr.yp.to/qmail.html for more info.
Laterz,
Roger "Merch" Merchberger
[1] If you have people sending you 2G Header lines, you have a lot bigger
problems than one crashed qmail-smtpd process...
--
Roger "Merch" Merchberger -- sysadmin, Iceberg Computers
zmerch(a)30below.com
What do you do when Life gives you lemons,
and you don't *like* lemonade?????????????